CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remained simple and will always that if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.

However, different rules applied this year. It involved successfully demonstrating the exploit, providing the sponsor (HP) the fully functioning exploit, and all details involved with the vulnerability used in the attack. If there were many vulnerabilities, multiple reports are needed, etc.

The work couldn’t be sold to anyone else, and proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for own use. Their idea of reward money was the following:

Google Chrome on Windows 7 = $100,000

IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.

Mozilla Firefox on Windows 7 = $60,000

Apple Safari on Mac OS X Mountain Lion = $65,000

Adobe Reader XI and Flash Player = $70,000

Oracle Java = $20,000

It was assuredly a blast at the competition, no doubt about it.

DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!

(Where’s Safari, right? It survived!)

The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.

Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”

In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day. Once by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led a lot of the pack of issues by successfully exploiting IE10 and Firefox as well.

The only other exploit was by Nils & Jon, where both successfully exploited Chrome.

The day after the first day of Pwn2Own, Mozilla and Google patched the exploits that were pushed out. Amazingly fast, Firefox went on to version 19.0.2 (which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).

“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.

Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.

DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!

The last day of Pwn2Own 2013 went with a BANG!

Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.

Who’re the overall prize winners?

James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000

VUPEN Security for IE10 + Firefox + Java + Flash – $250,000

Nils & Jon for Google Chrome – $100,000

George Hotz for Adobe Reader – $70,000

Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in progress with a lawsuit with Sony over the issue for PS3.

Share this:

Like this:

Firefox 19 now has a PDF viewer (Yay, bells and whistles)! Time to kick Adobe Reader, you know, because of all the exploits.

According to TheNextweb.com, Firefox 19 “includes PDF.js, a JavaScript library intended to convert PDF files into HTML5, which was started by Andreas Gal and Chris Jones as a research project that eventually picked up steam within Mozilla Labs.

Technically, the tool has been in Firefox for many versions, but you had to manually enable it. The whole point of the built-in PDF viewer is to avoid having to use plugins with proprietary closed source code “that could potentially expose users to security vulnerabilities.””

The new PDF viewer doesn’t even require a secondary plugin or anything! It has its own ability to draw images and text.

A little more explained:

“Firefox for Windows, Mac and Linux introduces a built-in browser PDF viewer that allows you to read PDFs directly within the browser, making reading PDFs easier because you don’t have to download the content or read it in a plugin like Reader. For example, you can use the PDF viewer to check out a menu from your favorite restaurant, view and print concert tickets or read reports without having to interrupt your browsing experience with extra clicks or downloads,” Mozilla said.

In addition to that exciting news, Firefox 19 also fixes an HTTPS phishing flaw, which was reported by Michal Zalewski, Google security researcher. It details an issue with a proxy’s 407 response, where if a user canceled the proxy’s authentication prompt, the browser continues to display the address bar. This can be spoofed by attackers, by telling them to enter credentials. Read more in the Mozilla advisory about this.

In Firefox, if you’re not automatically prompted to update, then do so as soon as possible by clicking the Firefox tab at the top left corner of the browser, hovering over Help >, click on About Firefox. You may also have to click Check for updates in the window that pops up. You should be patched.

Also, check out the posts today about Java and Adobe Reader being patched as well. It’ll be time to update everything at once.

Like this:

We’ve discussed over the past couple of weeks some of the things that happened in 2012, and things we’re focused on coming into the new year. There is a surge in a lot of security concern over several different issues, including Android malware, Anonymous, cyberwar, among other things. Here is a comprised list of the top concerns this Winter that we’ll be investigating on a continual basis.

Identity Theft – this can be a problem for most people that get viruses and other malware on their computer. It can also be a problem on social networks. It is best to have a good antivirus and keep your social networking information safe. You don’t have to enter everything in your profile. Leave some fields blank so it is more trivial for the unsuspecting stalker. Sadly, you cannot know who’s viewed your profile, which makes it more difficult to discover stalkers. Hmm…hint Facebook.

Spear-Phishing – plain and clear, spear-phishing is similar to identity theft. This is done by email-spoofing, which the attacker is masking him-or-herself as a legitimate company with legitimate looking emails. However, these emails are only subject to make you click and to either steal your information, or distribute malware, or even both. Normally, this is a big problem over the holidays, but now it’s starting to become widespread no matter the time of year.

Human Error and the Failure to Update – Vulnerabilities – It is true that humans forget a lot of things. One of the biggest security risks we have always faced is that users fail to update their browser plugins and programs on their computer. However, through the use of this vulnerability, attackers exploit and send malware your way. Using a vulnerability scanner can help you keep managed of this atrocity.

Browser Hijackers and Junkware – we still continue to see the problem of browser hijackers and junkware being distributed in installers for legitimate programs. What’s sad is, the royalties are so high for software developers to add in the install code for junkware, that the developers don’t know how bad the issue is. From Babylon Toolbar to Claro Search…these toolbars and homepage hijackers are unnecessary and technically need to be done away with. Good thing our security community has the ability to remove this crap with our special tools.

Malware growth on Other Platforms – it’s no surprise that malware problems are lighting up on the iOS now, as well as Linux. It sure will start to become a problem this year. Even more on Windows 8 and Android than any other device.

Android Malware Growth – This has become one of the biggest problems right now in the computing world is the steady high growth of malware on the Android platform. It will continue to be a problem, sadly.

Anonymous Cyberattacks, and Government Cyberwar – we will still see cybercrime and cyberwar problems continue this year.

Stay in tune with this blog for further updates.

Share this:

Like this:

Quite a week in the vulnerabilities sector, as Adobe already fixed quite a few flaws in Flash Player and AIR. Now, Apple has fixed nine vulnerabilities in QuickTime. Meanwhile, Adobe has ignored the Reader flaws that are currently pending, and could be exploited soon.

For QuickTime, most of the vulnerabilities were for buffer overflows. QuickTime is Apple’s media playback technology. Only Windows users XP SP2 and Up have to update – Mac OS X was not affected. See the security update from Apple for more information on what was fixed. You can update on QuickTime by visiting http://www.apple.com/QuickTime

As for Adobe Reader…well that’s a long story. Here’s the short version of it… A Moscow-based security firm, Group-IB, has identified a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. The vulnerability has an ability to sidestep Adobe Reader’s sandboxing mechanism, in order to exploit the code. Only working on Windows, the exploit requires users to close the web browser for it to work correctly.
Adobe spokespeople state the problem cannot be identified, and therefore there is nothing to fix.

To keep your computer protected from exploits, please see the following:

Share this:

Like this:

Kaspersky Lab is currently working on their own operating system from scratch, which includes the ability to help monitor business and government servers, further protecting them from government malware attacks. Government malware include Stuxnet, Flame, Duqu, Gauss, etc.

The whole point of the OS is to protect the various complex industrial systems we see today, especially in government facilities, corporations, and other industrial sectors.

Many government agencies are in fear that their systems/servers are still compromised, and without a good operating system, these systems/servers may still be at risk. Meanwhile, some companies/government facilities are overwhelmed with the idea of having to update their programs, keep patches up-to-date, etc., and also keeping the system continually running. Therefore, a secure operating system is a good plan to be in the works.

Kaspersky Lab held the operating system as a secret for quite a while, but now will be releasing information and updates: “Quite a few rumors about this project have appeared already on the Internet, so I guess it’s time to lift the curtain (a little) on our secret project and let you know (a bit) about what’s really going on,” Eugene Kaspersky, CEO of Kaspersky Lab, said in a blog post.

Apparently, the protocols SCADA (Supervisory Control and Data Acquisition) and PLCs (Programmable Logic Controllers) don’t require authentication to access them, which present a huge security risk. With that in mind, the secure OS will work on making that more of a secure approach.

With these new ideas into a secure OS, it will pave the way for a greater security realm in the industrial, corporate, governmental sectors, etc.